I just installed PHPIDS on our internship hacking platform and checked some challenges. PHPIDS doesn't see the following as an attack:

dir/..././..././folder/file.php

In my opinion it should get detected since it's a common attack against a simple "../" filter. On the other hand it's not your job to detect attacks against stupid filters ;) Just wanted to let you know.
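The bypass behind the report, as an added example that is not part of this thread and not PHPIDS code: a filter that strips `../` once turns the reported vector into a real traversal, a detection rule can notice that nesting by checking what the path becomes after each strip pass, and an application should never rely on stripping at all but canonicalize the path and confine it to a base directory. The base directory `/srv/app/public` and the sample paths are constructed for the example.

```python
"""Nested '../' traversal: the broken filter, a detector for the nesting
trick, and the canonicalize-then-confine check that replaces the filter.
Added illustration only; not PHPIDS code."""
import posixpath

# Constructed sample inputs; the third one is the vector from the report.
SAMPLES = [
    "folder/file.php",
    "../../etc/passwd",
    "dir/..././..././folder/file.php",
    "dir/....//....//folder/file.php",
]


def naive_strip(path: str) -> str:
    """The 'simple ../ filter' from the report: removes '../' in one pass.
    Removing the inner '../' of '..././' leaves '../' behind."""
    return path.replace("../", "")


def has_parent_segment(path: str) -> bool:
    """True if the path contains a literal '..' segment."""
    return ".." in path.split("/")


def is_nested_traversal(path: str) -> bool:
    """Detection rule: flag paths that already traverse, or that turn into
    a traversal after any number of single-pass '../' removals."""
    if has_parent_segment(path):
        return True
    prev = None
    while prev != path:               # stop when stripping changes nothing
        prev, path = path, path.replace("../", "")
        if has_parent_segment(path):
            return True
    return False


def is_confined(user_path: str, base: str = "/srv/app/public") -> bool:
    """The check an application should use instead of a strip filter:
    resolve '.', '..' and duplicate slashes, then verify the result is
    still inside base.  Purely lexical, so it needs no filesystem access.
    (Symlinks would additionally need os.path.realpath on a real system.)"""
    # An absolute user path would otherwise replace base in posixpath.join.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    return candidate == base or candidate.startswith(base + "/")


def report(paths=SAMPLES):
    """Summarize each sample: detector verdict, and confinement before and
    after the naive filter has mangled it."""
    rows = []
    for p in paths:
        rows.append({
            "path": p,
            "flagged": is_nested_traversal(p),
            "confined_raw": is_confined(p),
            "confined_after_strip": is_confined(naive_strip(p)),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The raw vector `dir/..././..././folder/file.php` is itself confined (`...` is an ordinary directory name), which is exactly why a canonicalizing check is safe and a strip filter is not: only the filter's own output, `dir/../../folder/file.php`, escapes the base directory. The detector mirrors that by re-checking the path after each strip pass.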

Nice! That was a hard one to fix - and I am not sure if it's bulletproof now. The problem was caused by a faulty length comparison between the sanitized and the untreated string resulting in a check against a single character string.

My first solution is a regular expression to check for attribute text flowing out of the tag after the HTMLPurifier treatment and blurring the results. I am sure this fix needs several more iterations to work in 99.99% of all situations but it seems okay for now.

Thanks :) I just committed a new version of the internal _diff() method - fixing a lot of other bugs too. It should be way faster since I got rid of a lot of legacy overhead. There were some substantial problems your vectors pointed out and I am relatively sure to have most of them fixed.